gotosocial: Update to 0.22.0
Changes:
- Update go modules depencies.
Pkglint: passed.
Package built and tested tested on NetBSD 10.1 amd64.
WARNING:
- Configuration changes and database schema changes.
- Before starting this new release, first adapt the configuration file,
then do not interrupt as a database migration will take some time.
See https://codeberg.org/superseriousbusiness/gotosocial/releases/tag/v0.22.0
for upgrade instructions.
py-protego: updated to 0.6.2
0.6.2 (2026-06-25)
- Fixed a ReDoS (regular expression denial of service) vulnerability: URL
patterns from ``robots.txt`` ``Allow`` and ``Disallow`` directives were
compiled into regular expressions, where multiple ``*`` wildcards could
cause exponential backtracking. A server could exploit this to cause denial
of service by serving a crafted ``robots.txt`` file. Wildcard matching is
now performed without regular expressions. Please, see the
`CVE-2026-55520`_ and `GHSA-wjmf-p669-5m5p`_ security advisories for more
information.
0.6.1 (2026-06-11)
- Fixed parsing of ``Request-rate`` values where the seconds field has no
time-unit suffix (e.g. ``1/60`` instead of ``1/60s``). Previously the last
digit of the number was silently dropped.
psmisc: updated to 23.7
Changes in 23.7
* build-sys: Make disable-statx work
* fuser: Fallback to stat() if no statx() Debian 1030747
* fuser: silently ignore EACCES when scanning proc directories
* killall: small formatting fixes Debian
* pstree: Do not assume root PID
* pslog: include config.h
* misc: Update gettext to 0.21
py-pandas: updated to 3.0.4
3.0.4
Fixed regressions
Fixed a performance regression in Series.searchsorted() and Index.searchsorted() with the string dtype, where a full O(n) NA scan made the operation much slower than the binary search itself (GH 65837)
Fixed a regression in isin() raising an error when checking for pd.NA with ArrowDtype, which also affected DataFrame.drop() with ArrowDtype-backed indexes (GH 63304)
Fixed a regression in arithmetic operations involving StringDtype and custom Python objects incorrectly raising instead of returning object-dtype results (GH 64107)
Fixed a regression in localizing timestamps beyond the year 2100 when using zoneinfo timezones (GH 65733)
Fixed a regression in setting into a DataFrame with MultiIndex columns and mixed-dtype level silently doing nothing (GH 65118)
Bug fixes
Fixed a bug in DataFrame.iloc() silently ignoring the assignment when setting values with an unordered or duplicated column indexer on a DataFrame whose values are referenced by another object (GH 65446)
Fixed a bug in DataFrame.to_sql() and read_sql_table() when using an ADBC engine where table and schema names were not quoted as SQL identifiers, causing failures for identifiers containing spaces or reserved words, and making it vulnerable to SQL injection (GH 65065)
Fixed a bug in Series.str.__getitem__() raising AttributeError when underlying array is ArrowExtensionArray (GH 65112)
Fixed a bug in Series.str.match() and Index.str.match() with PyArrow-backed string dtypes where a leading ^ only anchored the first branch of an alternation pattern (e.g. r"^foo|bar") (GH 66069)
Fixed a bug in eval() not honoring Copy-on-Write with the Python engine when columns were reused in the expression, causing unexpected mutation of the original DataFrame (GH 65664)
Fixed a bug in arithmetic adding or subtracting a non-tick DateOffset (e.g. offsets.MonthEnd, offsets.QuarterEnd) to datetime data that could cause a segmentation fault when another thread was running concurrently, e.g. under pytest-xdist (GH 66031)
py-scikit-build: updated to 0.19.1
Scikit-build 0.19.1
This is a patch release to add support for Visual Studio 2026.
Features
* Support Visual Studio 18 2026 in :pr:`1186`
Bug fixes
* Correctness bugs found in code review in :pr:`1191`
* Resolve Visual Studio generator environments lazily in :pr:`1193`
Testing
* Add windows-latest job for Visual Studio 2026 in :pr:`1194`
* Convert decorator into fixture in :pr:`1175`
[12 lines not shown]
py-django-treebeard: updated to 5.3.0
5.3.0
Added support for loading data for many-to-many relationships with load_bulk(). These were previously exported when using dump_bulk(), but were not handled when loading the same data.
Fixed an exception arising when running delete() operations on querysets that had a prefetch.
Added a warning when the default manager for a model extending a Treebeard Node class does not subclass the corresponding Treebeard model manager. This will raise an error in the next major release of Treebeard.
tor: updated to 0.4.9.11
0.4.9.11
Security release follows in quick succession after the previous one due to
additional high-priority security issues including one concerning onion
services. We strongly recommend upgrading as soon as possible.
o Major bugfixes (onion services):
- Prevent a race condition where in just the right circumstances a
rendezvous point could man-in-the-middle (impersonate) the onion
service that the client was trying to reach. Fixes bug 41297;
bugfix on 0.3.5.3-alpha.
o Major bugfixes (client):
- Clients no longer assert and exit if an onion service encodes an
all-zero public key for one of its introduction points. Fixes bug
41295; bugfix on 0.3.2.1-alpha.
[22 lines not shown]
GraphicsMagick p5-GraphicsMagick: updated to 1.3.47
1.3.47
Security Fixes:
DPX: Fix subsampling validation logic which was failing due to incorrect logic. This avoids a divide by zero possibility.
JNG writer: Properly handle and report the case where ImageToBlob()returns NULL.
MNG writer: Enforce that MNG only supports a color palette up to 256 colors (ImageMagick CVE-2026-28690).
MagickXImageWindowCommand(): Assure that static buffer does not overflow if the user keeps a numeric key depressed (ImageMagick CVE-2026-33535).
PCD: Prevent an out of bounds read (ImageMagick security advisory GHSA-wrhr-rf8j-r842).
PNG writer: Detect and report an excessively large profile, an other unexpected conditions (ImageMagick CVE-2026-30883).
RenderFreetype(): Use MagickConfirmAccess() to verify that font file name is allowed to be read.
TIFF EXIF IFD writer: Detect and prevent infinite looping (EXIF IFD writer code may be excluded by the -DEXPERIMENTAL_EXIF_TAGS=0 define).
TIFF EXIF IFD writer: Only transfer tags from EXIF and GPS IFDs. Do not transfer tags from the main IFDs.
YUV: Fix validation of 'sampling-factor' argument. (ImageMagick CVE-2026-25799). Given that the argument normally comes from a user (rather than an input file) this seems to be a minor security issue at most.
PS, PS2, PS3: Enforce that width and height dimensions, and total pixels, to/from Ghostscript are within the same limits as specified for GraphicsMagick. This helps avoid Ghostscript-based denial of service opportunities.
SVG: Add validations for element id syntax. Reject invalid attribute values which contain single quotes.
XCF: Report an error if there are no layers. Fix two unsigned integer overflow cases.
[53 lines not shown]
py-matplotlib: updated to 3.11.0
3.11.0
The largest change within this release is a complete overhaul of text and font
processing. Through the use of libraqm, HarfBuzz, SheenBidi, and an updated
release of FreeType, all text should now support modern font features, enabling
full internationalization in all languages. Not all features of these libraries
are supported yet, but we expect this work to enable further improvements in an
easier manner.
Outside of text handling, there are several improvements to 3D Axes,
performance, new accessible colour sequences, flexible figure management, and
more. See the release notes for more information.
py-checkdmarc: updated to 5.17.3
5.17.3
Changed
Narrow the advisory SPF record size check to catch only UnicodeError (raised when a record can't be encoded to UTF-8) instead of swallowing every exception, and log the skip at debug level
Replace the remaining broad except Exception handlers across the package with the specific exception types each block can recover from, so unexpected programming errors surface instead of being masked. As a result, intentional record-validation errors (e.g. MultipleSPFRTXTRecords, MTASTSRecordInWrongLocation) now propagate as their own types rather than being converted to a generic "record not found" error
Modernize type annotations to PEP 604 syntax (X | None and X | Y instead of Optional[X] and Union[X, Y]) throughout the package
Fixed
Declare the supported Python floor with the correct requires-python key (the previous python_requires key is not recognized in a PEP 621 [project] table, so the published metadata advertised no minimum and pip would install on end-of-life Python versions where the modern type-alias syntax fails). Also add per-version Python classifiers for 3.10–3.14
5.17.2
Fixed
Discard TXT records with leading whitespace instead of treating them as valid SPF records, since RFC 7208 section 4.5 requires a record to begin with exactly v=spf1
[4 lines not shown]
